In my introduction to Exchange Server 2010 message tracking I wrote that PowerShell provides one of the most useful and powerful ways to search message tracking logs.
Although the message tracking log explorer is fine for simple searches on a single server, it doesn’t work so well when you want to do wildcard searches, search multiple servers at once, or export data for further analysis.
For those operations PowerShell is the way to go, and frankly once you’ve seen how powerful PowerShell is for message tracking log searches you’ll probably never use the explorer tool again.
Getting Started with Searching Message Tracking Logs Using PowerShell
Message tracking log searches are performed in the Exchange Management Shell by running the Get-MessageTrackingLog cmdlet. You can run this cmdlet with no parameters on any Edge Transport, Hub Transport or Mailbox server and it will return all of the log entries on that server.
[PS] C:\>Get-MessageTrackingLog

EventId    Source      Sender                              Recipients                               MessageSubject
-------    ------      ------                              ----------                               --------------
RECEIVE    SMTP        Ivana.Ferrary@exchangeserverpro.net {Ana.Williams@exchangeserverpro.net}     Luminary asep...
DELIVER    STOREDRIVER John.Tilleray@exchangeserverpro.net {Lucy.Spratley@exchangeserverpro.net}    Egress concor...
RECEIVE    STOREDRIVER Ambrine.Berry@exchangeserverpro.net {Lorraine.Oza@exchangeserverpro.net}     Brazen
DELIVER    STOREDRIVER Ivana.Ferrary@exchangeserverpro.net {Ana.Williams@exchangeserverpro.net}     Luminary asep...
RECEIVE    SMTP        Donna.A'Bear@exchangeserverpro.net  {Marc.Itoje@exchangeserverpro.net}       Garble expedi...
RECEIVE    SMTP        Priya.Smith@exchangeserverpro.net   {Melanie.Thomas@exchangeserverpro.net}   Enthral boorish
DELIVER    STOREDRIVER Donna.A'Bear@exchangeserverpro.net  {Marc.Itoje@exchangeserverpro.net}       Garble expedi...
RECEIVE    SMTP        Jane.Martin@exchangeserverpro.net   {Charlotte.Bonsey@exchangeserverpro.net} Palate causti...
DELIVER    STOREDRIVER Ambrine.Berry@exchangeserverpro.net {Lorraine.Oza@exchangeserverpro.net}     Brazen
RECEIVE    SMTP        Yvette.Willis@exchangeserverpro.net {Jan.Marway@exchangeserverpro.net}       Malign edible
DELIVER    STOREDRIVER Priya.Smith@exchangeserverpro.net   {Melanie.Thomas@exchangeserverpro.net}   Enthral boorish
RECEIVE    STOREDRIVER Joy.Singh@exchangeserverpro.net     {Mary.Friel@exchangeserverpro.net}       Obfuscate
HAREDIRECT ROUTING     Joy.Singh@exchangeserverpro.net     {Mary.Friel@exchangeserverpro.net}       Obfuscate
....
You can also search a remote server using the -Server parameter. This is useful when you are running the search from your own admin workstation or a separate management server.
[PS] C:\>Get-MessageTrackingLog -Server HO-EX2010-MB2
The Get-MessageTrackingLog cmdlet also accepts input from the pipeline. This is a very convenient way to perform searches on multiple servers at once. For example to search all Hub Transport servers at once:
[PS] C:\>Get-TransportServer | Get-MessageTrackingLog
Sometimes you may wish to search the transport servers only within a particular site. Because I might need to work with that list in a few different commands I’ll usually collect those into a variable first, for example all Hub Transport servers in the “HeadOffice” site:
[PS] C:\>$hubs = Get-ExchangeServer | Where {$_.Site -like "*HeadOffice" -and $_.IsHubTransportServer -eq $true}
I can then pipe that array of servers into the Get-MessageTrackingLog cmdlet.
[PS] C:\>$hubs | Get-MessageTrackingLog
Remember Default Resultsize of 1000
Often you will be running message tracking log searches that return a lot of results. However, by default the cmdlet will return only 1000 results.
Because of this you should try to get into the habit of using the -Resultsize parameter to return unlimited results when running Get-MessageTrackingLog.
[PS] C:\>Get-TransportServer | Get-MessageTrackingLog -Resultsize unlimited
Run Long Queries Once by Collecting Results in a Variable
When you’re performing investigative searches of your message tracking logs, particularly across multiple servers, those queries can take a long time to return the results. If you then find you need to adjust the query, for example to be more specific or to format the results in a different way, you have to wait a long time for the query to run a second time as well.
So a good tip is to always collect your query results into a variable, particularly very broad queries that take a long time to run, so that you can pick apart the collected data without having to re-run the query.
For example, if I want to investigate reports of email problems sending to Alan Reid, I can run one broad query across all Hub Transport servers and collect the results in a variable I will call $msgs.
[PS] C:\>$msgs = Get-TransportServer | Get-MessageTrackingLog -Recipients "Alan.Reid@exchangeserverpro.net" -resultsize unlimited
I’ve now got thousands of records that I can begin to filter and dissect in different ways without having to re-run my query.
[PS] C:\>$msgs.count
13297
For example I can find the top 10 senders to Alan Reid within seconds, instead of re-running the entire Get-MessageTrackingLog search again.
[PS] C:\>$msgs | Group-Object -Property Sender | Select-Object name,count | sort count -desc | select -first 10 | ft -auto

Name                                  Count
----                                  -----
Andrea.Sharma@exchangeserverpro.net     110
Richard.Bennett@exchangeserverpro.net   108
Judy.Mollo@exchangeserverpro.net        104
Ferzana.King@exchangeserverpro.net      102
Debra.Lowe@exchangeserverpro.net        100
Nicola.Noad@exchangeserverpro.net       100
Diane.Hall@exchangeserverpro.net         96
Caroline.Ball@exchangeserverpro.net      96
Chris.Majumdar@exchangeserverpro.net     96
Hugh.Sharma@exchangeserverpro.net        96
According to Measure-Command the above command took 1.3 seconds to complete, whereas re-running the full log search would take 47.4 seconds. By collecting the results into a variable the first time, all of the subsequent analysis of that data can be performed much faster.
Each Single Message is Multiple Log Entries
You’ll notice as you begin looking at message tracking logs that each individual email message generates multiple log entries. This is because each message goes through multiple events in the process of getting from sender to recipient, and the number of events will vary depending on how the message needs to be routed throughout your organization, as well as whether it is successfully delivered or not.
So a single email message may record a series of events such as:
EventId  Source   Sender                            Recipients                        MessageSubject
-------  ------   ------                            ----------                        --------------
RECEIVE  SMTP     Famida.Ghtoray@exchangeserverp... {Alan.Reid@exchangeserverpro.net} Prolix apropos embellish
DEFER    STORE... Famida.Ghtoray@exchangeserverp... {Alan.Reid@exchangeserverpro.net} Prolix apropos embellish
DUPLI... STORE... Famida.Ghtoray@exchangeserverp... {Alan.Reid@exchangeserverpro.net} Prolix apropos embellish
RECEIVE  STORE... Famida.Ghtoray@exchangeserverp... {Alan.Reid@exchangeserverpro.net} Prolix apropos embellish
DELIVER  STORE... Famida.Ghtoray@exchangeserverp... {Alan.Reid@exchangeserverpro.net} Prolix apropos embellish
RESUBMIT DUMPSTER Famida.Ghtoray@exchangeserverp... {Alan.Reid@exchangeserverpro.net} Prolix apropos embellish
TRANSFER STORE... Famida.Ghtoray@exchangeserverp... {Alan.Reid@exchangeserverpro.net} Prolix apropos embellish
SEND     SMTP     Famida.Ghtoray@exchangeserverp... {Alan.Reid@exchangeserverpro.net} Prolix apropos embellish
Dealing with System.String[] in Exported Message Tracking Log Data
At some stage you will want to export some message tracking log data to CSV for further analysis in Excel. If you pipe the output above into the Export-CSV cmdlet you will notice that some of the fields, such as Recipients, appear as System.String[] in the output file.
To resolve this issue you need to first pipe your Get-MessageTrackingLog results into Select-Object and select the Recipients and RecipientStatus fields like this:
... | Select-Object eventid,sender,timestamp,@{Name="Recipients";Expression={$_.recipients}},@{Name="RecipientStatus";Expression={$_.recipientstatus}},messagesubject | Export-CSV filename.csv
This will give you the correct exported data.
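The export fix above as a runnable sketch (an added example, not code from the original article): it joins Recipients and RecipientStatus explicitly, and goes beyond the text by neutralising spreadsheet formulas in the sender-controlled subject and by expanding entries to one de-duplicated recipient per row. The function names and the sample entries are constructed for illustration, so it runs without an Exchange server.

```powershell
# Constructed stand-ins for Get-MessageTrackingLog output; addresses, subjects
# and the 'To' status values are made up for this example.
function New-SampleEntry {
    param($Time, $Sender, [string[]]$Recipients, $Subject)
    New-Object PSObject -Property @{
        Timestamp       = [datetime]$Time
        EventId         = 'DELIVER'
        Sender          = $Sender
        Recipients      = $Recipients
        RecipientStatus = [string[]]@($Recipients | ForEach-Object { 'To' })
        MessageSubject  = $Subject
    }
}

$msgs = @(
    New-SampleEntry '2016-11-11 05:20' 'tim.doe@example.com' @('jane.doe@example.com') 'Payroll'
    New-SampleEntry '2016-11-11 05:21' 'tim.doe@example.com' @('john.doe@example.com', 'Jane.Doe@example.com') 'Payroll'
    New-SampleEntry '2016-11-11 05:30' 'ext@example.org' @('jill.doe@example.com') '=1+1'
)

function Protect-CsvCell {
    # Spreadsheets evaluate cells that start with = + - @ as formulas, and the
    # subject is chosen by the sender. Prefixing an apostrophe makes the cell text.
    # This changes the exported value, so keep the raw logs as the record.
    param([string]$Value)
    if ($Value -match '^[=+\-@]') { "'" + $Value } else { $Value }
}

function ConvertTo-FlatTrackingEntry {
    # Joins each multi-valued field into one delimited string so the CSV holds
    # the addresses instead of the type name System.String[].
    param(
        [Parameter(ValueFromPipeline = $true)] $Entry,
        [string] $Delimiter = ';'
    )
    process {
        $Entry | Select-Object Timestamp, EventId, Sender,
            @{Name = 'Recipients';      Expression = { $_.Recipients -join $Delimiter }},
            @{Name = 'RecipientStatus'; Expression = { $_.RecipientStatus -join $Delimiter }},
            @{Name = 'MessageSubject';  Expression = { Protect-CsvCell $_.MessageSubject }}
    }
}

function Expand-TrackingRecipient {
    # Emits one object per (log entry, recipient) pair, with the address lower-cased
    # so that the same mailbox written in different case collapses to one value.
    param([Parameter(ValueFromPipeline = $true)] $Entry)
    process {
        foreach ($address in $Entry.Recipients) {
            New-Object PSObject -Property @{
                Timestamp = $Entry.Timestamp
                Sender    = $Entry.Sender
                Recipient = $address.ToLower()
            }
        }
    }
}

# Exported directly, the array-valued property is written as its type name.
$msgs | Select-Object Sender, Recipients | ConvertTo-Csv -NoTypeInformation

# Flattened first, every address survives the export.
$msgs | ConvertTo-FlatTrackingEntry | ConvertTo-Csv -NoTypeInformation

# One recipient per line, de-duplicated, for a single sender's messages.
$msgs | Where-Object { $_.Sender -eq 'tim.doe@example.com' } |
    Expand-TrackingRecipient |
    Select-Object -ExpandProperty Recipient |
    Sort-Object -Unique
```

With real data, assign the output of Get-MessageTrackingLog to $msgs and swap ConvertTo-Csv for Export-CSV with a file name.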
Examples of Message Tracking Log Searches
In the next part of this article series I’ll cover some specific examples of message tracking log searches using PowerShell.
I’m trying to get a report of which transport rule was applied to an email. Can you provide a powershell command to extract this information? I have over 20 transport rules but can figure out which rule was applied.
Sorry…..typo. Can’t figure out which rule was applied.
Hi Paul,
It might be dumb to ask, is there any way to check which Inbox rule had been processed on a particular mail with its message ID? Since a mail was moved to a subfolder but no rule was created for that.
Paul,
Is there a way to search the Exchange Logs for messages with multiple recipients and get a count of how many recipients are included per email? We are most interested in messages Sent from Exchange, but would also like to see inbound email as well. Inbound is not as important, I think we can use our SPAM filter for those…
Thanks,
Greg
Hi Paul
I ran the logparser command against SMTP relay logs and I found the result like
sender 2500 and recipient 4100. Why are both results showing different? Is this correct, or did I do something wrong here?
Thanks
Rani
Get-transportserver | Get-MessageTrackingLog -ResultSize Unlimited -Start "7/10/2019 07:00AM" -End "7/10/2019 09:55AM" -Sender "sender@hotmail.com" -Recipient "Recipient@domain.com" | Select-Object eventid,sender,timestamp,@{Name="Recipients";Expression={$_.recipients}},@{Name="RecipientStatus";Expression={$_.recipientstatus}},messagesubject,Source, EventData | Export-CSV c:\temp\filename.csv
Exchange 2013, I run this but EventData is showing “System.Collections.Generic.KeyValuePair`2[System.String,System.Object][]”. Any hint? The rest is fine, but I want to get the event data exported as well.
Hi, can you help me with an Exchange script for the 2010 version to export tracking results to CSV, like delivery receipts? The typical 2.5.1. OK in Exchange, to know if the outside users of the organization are all receiving the emails?
Best regards!
Resolved
just enter this parameter RecipientStatus
following is the command used
Get-MailboxServer SRV* | Get-MessageTrackingLog -Recipients mailbox@local.domain -EventId "DELIVER" | ft -AutoSize -Wrap Sender,timestamp,RecipientStatus
regards
Hello to all
it is possible to carry out a tracking and understand in which folder the mail object has been delivered.
in the sense that, instead of the inbox, it has been placed in one of its subfolders or other
Thank you in advance
Resolved just enter this parameter RecipientStatus
following is the command used
Get-MailboxServer srv* | Get-MessageTrackingLog -Recipients mailbox@domain.local -EventId "DELIVER" | ft -AutoSize -Wrap Sender,timestamp,RecipientStatus
for the exchange 2013
🙂
regards
Hi Paul ,
Thanks for the article.
I have a user who wants to see a specific period's mail, like Jan-Feb-Mar 2015, exported to CSV.
I am running these cmdlets in PowerShell but the results file is showing 0.
Get-MessageTrackingLog -Server xyzmail -ResultSize unlimited -Sender "mailtest@xyz.com" -Start "08/10/2017 09:00:00" -End "08/10/2017 23:59:00" Export-CSV C:\MessageTrackingLog.csv
-Start “01/10/2015 09:00:00” -End “03/10/2015 23:59:0
The Real Person!
If your server doesn’t have any message tracking logs from 2015 then you’ll get no results. The logs are retained for 30 days by default.
Paul,
Thanks for this article!
The section “Dealing with System.String[] in Exported Message Tracking Log Data” solved an issue I’d been searching around for several hours trying to resolve.
When I stumbled on this post, used the method and then saw the output… that made my day.
Thanks again!
Hi Paul Thanks for the response.
We have a business request from compliance team with the below details
Some of the info needed by accounts
Amount of emails received
Number of Email received with attachments
Size of attachments
Mail Retention and general mail rules and filters
Is there any way to provide the details by using exchange shell command.
The Real Person!
Message tracking logs can be used to estimate the number of emails received, but they do not track whether attachments exist or what size the attachments are. I don’t know what specifically you need for the “mail retention and general mail rules and filters.”
Sounds like you need to research some third party reporting tools and help your compliance team choose one that can be installed to provide them the details they need.
Hi Paul,
I’m trying to build a matrix each day of senders and recipients at my company, for analysis by a visiting professor for their research. She wants the following matrix:
___________ Recipients ->
___________ a@ab.c | b@ab.c | c@ab.c …
V Sender
a@ab.c______0_________0________2
b@ab.c______3_________0________1
c@ab.c_______0________0________0
.
.
ie every email address and the number of times it sent an email to every other email address!
I’m pretty sure the data is contained in a file I have generated using this command:
Get-TransportServer | Get-MessageTrackingLog -ResultSize Unlimited -Start "12/19/2016 12:00:00 AM" -End "12/20/2016 11:59:00 PM" | select sender, {$_.recipients}, recipientcount | Out-File "C:\temp\Email_DB_Query.txt"
Except that it is 1.5Gb and I can’t do anything with it.
I am wondering if there is a way you know of, or a resource you can point me to, to help me write conditional code into the Powershell script that will just build the matrix with a counter for each sender and each recipient entry.
Something that output:
a@ab.c c@ab.c[2]
b@ab.c a@ab.c[3],c@ab.c[1]
..
I am further inhibited by not being allowed direct access to the exchange server, and I am also trying to do this at a company in Vietnam.
It’s sort of like assembling a model ship in a bottle, in a foreign language! Any help or guidance would be much appreciated!
Paul,
Thanks for a great article, and glad you are still active on it. I am really hoping you could help with this. Occasionally a manager/employee will send an email to a lot of people (1,000s) (either on accident or purpose) and we have to track who they sent to and then pull the emails. When tracking, we normally have to pull the list of who they sent it to and then use Word/Excel to manipulate the file to get each address on a single line to be used in a pull script. Eventually, we would like to script it to where the results are stored in a variable and then sent to a pull command automatically.
(As a bonus, any way to remove duplicate email addresses? – Currently we use Excel to do this).
Is there a way to get a single address per line? Here is what we have been using (with the help of this article) – but as you can see it returns multiple addresses per line.
Get-ExchangeServer | where {$_.isHubTransportServer -eq $true} | get-messagetrackinglog -start "11/11/2016 5:15AM" -End "11/11/2016 8:10 AM" -sender "Tim.doe@company.com" -MessageSubject "Payroll for company" -EventID "Deliver" -ResultSize Unlimited | Select-Object @{Name="Recipients";Expression={$_.recipients}} | Export-CSV filename.csv
Here is results…
“Recipients”
“Jane.doe@company.com”
“Jack.doe@company.com”
“John.doe@company.com Jill.doe@company.com Lily.doe@company.com Nick.doe@company.com Nin.doe@company.com Apple.doe@company.com Billy.doe@company.com Alfred.doe@company.com Sally.doe@compnay.com”
“Hank.doe@company.com Cathy.doe@company.com Ray.doe@company.com Sam.doe@company.com Henry.doe@company.com Rose.doe@company.com”
“Rich.doe@company.com Nate.doe@company.com Nancy.doe@company.com Sid.doe@company.com”
etc…
etc…
The Real Person!
You would just need to write some extra code to handle $_.Recipients and split up multi-value results into unique email addresses.
I’d also recommend you start writing a script, rather than try to jam everything into a one-liner.
how do I find out who it was that sent an attachment to another user?
I need to search in all of the user’s outbox, looking for that attachment.
Can you help me ?
Hi,
very good article. I have problem with count send messages. This is my part of script
$msg = Get-MessageTrackingLog -server myserver -resultsize unlimited -eventId Send -Sender $_.emailaddress -Start 9/1/2016 -End 9/30/2016 | Where-Object {$_.recipients -like $rekord}
$msg.count
I want to count only sent messages. When $msg has only one entry (one e-mail was sent) $msg.count doesn’t show anything. When $msg has more than one entry it works fine. How to count it?
The Real Person!
Use an array if you’re not sure whether it will return 1 or more results.
$msg = @(your code)
Great work, keep doing it!
Thank you for this awesome article Paul. Have been following your posts and powershell scripts. Thank you for making our admin jobs a lot easier.
Hi,
Is there a way to run these searches against logs that have been moved to another location? I’m a new admin, and my manager wants me to increase message logging from the default 30 days to 365 . This will require space which we do not have locally. I’d like to set the logging for 6 months, then make a script to just move current logs to another location on the network. But I’m not sure how to search them once they’ve been moved. I appreciate your help!
why the ” client IP” in message tracking field is always empty – this is the most important data “needed” when tracking an incident?!!! – please help!
The Real Person!
Client IP in message tracking entries doesn’t tell you the IP of the workstation where an email was sent from.
why the message tracking field is always empty – this is the most important data when tracking an incident?!!!
Hi Paul,
First off, your site has saved me many times and I am a frequent visitor.
I’m looking for a way to determine if secondary smtp addresses that are associated to DL’s are being used or not. I have run this script:
Get-MessageTrackingLog -Start 1/1/2015 -EventId Expand | group-object RelatedRecipientAddress | ft Name,Count -Autosize
and it returns the PrimarySmtpAddress of the Distribution Group. Is there a way to get it to return the actual address the message was sent to?
I am trying to determine which aliases I can retire.
Thank You,
Jake
The Real Person!
Not reliably, because once the email gets into the pipeline all the log entries will start showing the primary SMTP address. I think one of the very early events might show the alias used, but I wouldn’t count on it.
If you don’t want an address being used any more, remove it and make the emails bounce.
But the question IS: are there still messages sent to an alias email address?
(Before I remove an alias email address.)
thanks guys for all this work
Can someone help me to find a solution (pshell, vbs…) that is able to count the number of S/MIME messages in Exchange 2010 tracking logs?
thanks a lot
Nevermind my last reply. The message itself is a spam. I searched inbound messages in Barracuda SPAM filter with that subject and discovered the senders to block.
Hi,
I have tracked some messages using Get-TransportServer | Get-MessageTrackingLog to search for messages sent to outside recipients that appear to be spam. There are multiple messages and each from different sender.
I noticed under Reference, there is a weird email address. Please help understand where the messages are sent from and how.
Thank you
RunspaceId : b06e59c4-4f67-46e8-8233-b1097f3e88ad
Timestamp : 6/24/2015 10:30:51 AM
ClientIp :
ClientHostname :
ServerIp : ::1
ServerHostname : EX-CAS1
SourceContext : 594431127398121473
ConnectorId :
Source : MAILBOXRULE
EventId : RECEIVE
InternalMessageId : 5011620
MessageId :
Recipients : {sunriselive@elfarorestaurante.com}
RecipientStatus : {To}
TotalBytes : 9971
RecipientCount : 1
RelatedRecipientAddress :
Reference : {}
MessageSubject : Automatic reply: stop spamming me
Sender : peckh@mydomain.org
ReturnPath :
MessageInfo : 03I:
MessageLatency :
MessageLatencyType : None
EventData :
Hi, my question is: if I restore the tracking logs, can I read them with some tool?
I understand that I cannot read them with the Tracking Log Explorer, or can I do some trick to read them?
Thanks a bunch Paul,
I was absolutely clueless why recipient column was not getting exported properly, piping select-object cmdlet saved my soul.
Cheers,
Dhananjay
Hey Paul:
Nice site. I’m looking for a way to do the following:
Get a list of all DL’s with a particular sub-domain. We are corp.com and I only need av.corp.com
The managed by for each one
Recent activity (message received)
Any help will be appreciated!
Thanks, Chris
Hi Paul,
We have single mailbox server with 20 databases. we are placing mailboxes according to the user’s OU location. Is it possible to have automated script to create mailboxes with two specifications
alias should be first. lastname and mailbox database should be as per user’s OU. My requirement is by providing user’s displayname or UPN it should check the OU location and create mailbox with respective mailbox database given in the script.
I am using the following to gather the smtp addresses of the mailboxes in the OU:
get-mailbox -resultsize unlimited -OrganizationalUnit "*Sharepoint*"|select-object primarysmtpaddress > MailboxesInOU.csv
I am then trying to pipe this into the Get-MessageTracking cmdlet using the following, but it is pulling the information from all of the mailboxes, not just those in the OU. I am fairly new to scripting. Is there something fairly simple that I am missing?
Import-csv MailboxesInOU.csv | foreach {get-messagetrackinglog -recipient $_.primarysmtpaddress -resultsize unlimited |select-object recipients,timestamp |sort timestamp -descending} > OUTrackLogs.csv
Hi Paul.
Thanks. Lots of good information here. Would you happen to know how I can pull the message tracking logs (recipient and timestamp only) for all mailboxes in a specific OU?
I’ve tried various combinations of commands, but no luck, so any help you can provide would be most appreciated.
Thanks again.
The Real Person!
The Get-MessageTracking cmdlet has no way of filtering to a particular OU of mailbox users. Remember, it is basically querying text/log files. If you wanted to query the message tracking logs for an OU of users you’d need to write a script that pulls *all* of the email addresses from those users then runs Get-MessageTracking queries to retrieve the results.
So the short answer is, yes it’s possible but requires some custom scripting.
Hi
I have migrated from Exchange 2007 to Exchange 2013 and I have removed Exchange 2007. How can I open message tracking logs from Exchange 2007? I have a backup from the Exchange 2007 hub servers.
S
The Real Person!
A message tracking log file is basically just a text file in CSV format. You can open it with Notepad or import it as a CSV into Excel. You can also search it with tools like Log Parser, Findstr, or PowerShell’s Select-String. Or really any text parsing utility.
Hi Paul
I have something similar to Mason.
I have Exchange 2003 and Exchange 2010 (CAS/HT Test box) and another Exchange 2010 (Live CAS/HT).
The ex2010 (Test) has SMTP relay has two IPs to it. The secondary IP I have moved to the live environment on a new SMTP relay. However, I see the Exchange 2003 server is still using this old SMTP relay; however, I cannot see anything on the ex2003 to be using the old SMTP relay on the other IP. Is this something to do with the routing group connector?
The Real Person!
Possibly the RSG, sure. Check the RSG source/target servers.
Hi Paul
Thanks for confirming, I removed the RGC and traffic stopped hitting the connector and is now flowing through the other receiver on the new Exchange (CASHT) box.
Kind Regards
Tom
In our environment we have a new Exchange 2013 environment set up, but all forwarding is still going through the old Exchange 2010 environment. I’m looking for a way to determine what users are still only using the old Exchange 2010 system (i.e. a way to parse traffic to not include the forwarded traffic). Do you know of an easy way to do this via PowerShell?
Thanks in advance!
Mason
The Real Person!
Depends what you mean by “forwarding”.
Here’s the scenario. We have our old domain running Exchange 2010; we’ve since migrated all of our users to the new domain, running Exchange 2013. On the old system we have SMTP forwarding set up to forward mail to the new system. On the new system we have transport rules set up to check and see if mail has been delivered to the old address; if not, then it forwards the email. This has worked out well for our relatively small 500+ user environment, but now I’m stuck with the task of trying to determine which users still utilize the old system.
I followed your other article (https://www.practical365.com/exchange-2010-report-top-sender-ips-log-parser/), which was very informative and helpful, however the IPs returned are only for load balancers or other Exchange Servers and not actual end users.
I have a feeling there is a way to do it via IIS logs but any guidance you can provide is greatly appreciated 🙂
I should also note the new system is an entirely new Windows 2012 domain as well. So when I said users were migrated that’s a bit inaccurate, they were essentially recreated I suppose.
Actually, I think I figured it out. If you parse the IIS logs from the old email server for “SendAs=SMTP” or “ActAs” it seems to show what I’m looking for. If you have any other tips I’ll take them but thanks for taking a look regardless!
The Real Person!
No other suggestions right now. I’m still trying to visualise your scenario properly. Sounds a bit difficult, but I’m sure you had good reasons to do a whole new domain.
If all your users are migrated to the new server I guess there is no reason why any mail should be flowing through the old server now… unless you’ve still got MX records or other servers/apps still using that server for SMTP. In which case that log parser tip you already found is how I tend to investigate that.
Dear Paul,
can you please help me what permission we should have to run “Tracking Log Explorer” option in exchange 2010 Sp2 Rollup 6.
Regards,
Atul
Hi Paul.
How do I find the number of items they’ve sent in, say, the last 2 weeks?
AS
Hi Paul,
Great Article buddy
However, I would like to know: is there any way to get the count of mails which are holding attachments in the Hub server through GUI/PowerShell?
The Real Person!
Message tracking logs don’t record whether an email had an attachment or not, but you could estimate it by the total size of the message.
https://www.practical365.com/exchange-2010-message-tracking-log-search-powershell/#comment-13245
This might help
If the sender is an internal user then search for “X-MS-Has-Attach: yes” under header; of course it can also be a signature (logo) added, not necessarily a document.
Hey guys, have you ever had this scenario? User opens a ticket complaining that her attachment is missing. The unix guys say (and show) that they delivered the attachment with the message in their logs. Now management is asking if the Message Logs in Exchange show that the attachment was delivered to the MAILSTORE. I’ve looked around but I don’t think the MessageLogs show that.
— Any hints or successes in this area???
Great info Paul! I have a scenario that I’m trying to work out. I have a list of mailboxes that I need to find the total sent and received on a particular day. How would you import the list and for each look through the message tracking logs?
Thanks
Dawn
Hi,
I’ve used this document a few times, very useful.
But what about finding emails of certain sizes. We have high limits internally & externally (100Mb), we are considering lowering them. But I wanted to report on say how many emails to/from/within the org were over a size of say 25Mb and 50Mb. That way I can understand the impact to the business.
Thanks,
Gareth
The Real Person!
Message tracking logs record a TotalBytes value that could be used for this.
Or perhaps use Exchange Web Services to inspect actual mailboxes, though I don’t have any samples for that.
Hi Paul:
Your PS command " … | Select-Object eventid,sender,timestamp,@{Name="Recipients";Expression={$_.recipients}},@{Name="RecipientStatus";Expression={$_.recipientstatus}},messagesubject | Export-CSV filename.csv " is a great life saver. It gave me most of the data I am looking for when tracking the message logs.
I tried to add the following to get delivery status "@{Name="DeliveryStatus";Expression={$_.DeliveryStatus}}" with no external quotes of course. However, I am not able to get delivery status. Is there any trick to get delivery status to confirm if a message is delivered or failed to deliver to the intended recipients?
Hi all,
Do you guys know a PowerShell command to track a message from a specific sender? What I need to pull out is the: InternalMessageId, TimeStamp and Message Size in MB
Any thought? I’m kind of new working on PS
The Real Person!
Here’s some tips on searching message tracking logs by sender/recipient:
https://www.practical365.com/searching-message-tracking-logs-by-sender-or-recipient-email-address
Paul,
Great article.. I’m being asked to determine how much mail is being processed on a daily basis by our exchange 2010 SP2 organization, in MB/GB. I use SCE 2010 and it can give me number of emails and things like that. I just need simple number like we processed 1.5GB of mail today?
thanks
John
Hi Paul, I have a little query: how can we track messages on a recipient basis?
Example: how many users are sending mails to more than 100 recipients in a mail.
Regards.
Sukhdev
Just had an urgent need to prove which messages were redirected over a set period, and this easy-to-use article got me straight there.
Thank you for a really useful article!
Great article Paul. Your site has helped me through Exchange migrations, starting with PowerShell and a host of other Exchange issues I’ve had. Awesome resource, thanks a million!
Hello Paul.
Very nice article. I refer to this page often.
I was wondering if you had any idea or any reference links on exporting these logs to a syslog server using clog-sh?
Hello Paul,
Good article, thanks.
It would be better if we could get via powershell only the failed message logs which did not deliver to the internal users from external world.
Great article, going to send this around work so I don’t have to do so many searches!
The other handy thing to include would be to indicate what each event equates to- as you say each message will have multiple events, might be good to include a quick “mail flow by events”. So for example, you can get distribution group stats by looking at the EXPAND event.
Also, does -expandproperty not work for recipients?
The Real Person!
Not sure about -Expandproperty yet. I’ve been tinkering with it but haven’t got it working in the scenarios I’ve tried so far.
Thanks
very nice article
Hi, nice article.
I’ve been trying to search multiple HUB and CAS with the help of:
Get-TransportServer | Get-MessageTrackingLog
The problem I’m facing is that I can’t get the result presented in the right timeline. It searches one server at a time and presents the findings the same way. So when looking at the search result it is not so easy to follow the message.
The Real Person!
Piping into “… | Sort-Object timestamp” will put all the results in order.
Also, when I’ve identified a specific messageID I want to track I’ll filter my results down to just that messageID, eg
$msgs | where {$_.messageid -eq "themessageid"} | Sort-Object timestamp | Format-List
Hey Paul, when I am trying to search in all hubs at a single shot, I am getting errors as the Exchange transport log search service at other hub servers is not running. In fact it is running normally. Sometimes, the winrm service is not able to access..
What might be the issue? Note my org is large with 100+ servers with 10 sites.
The Real Person!
Firewalls perhaps?
For the winrm issues, you’ve confirmed remoting is enabled?
Dear Paul,
We have an Exchange 2010 system and we were spam attacked, so where can we see that we have been spam attacked?
Is it possible to block spam on the Edge server with the anti-spam feature?
Thanks!!
The Real Person!
Edge Transport has some anti-spam features but they are not as effective as a proper anti-spam product or service, such as Exchange Online Protection.
Hi Paul ,
I would like to know if I can track any email which didn’t have a header? Like email which was received from Skype for Business that contains the conversation.
Thanks,
$msgs | Group-Object -Property Sender | Select-Object name,count | sort count -desc | select -first 10 | ft -auto
Hello. This command does not show anything, what is the reason for this? (Exchange 2010)
Hello Paul,
Need some help related to spam.
There was a spam attack in our organization.
How can we prevent that from happening.
What permissions can be given to the security team to get an alert for malicious or suspicious mails?
Is creating moderator a feasible option?
On EOP what permissions can be given?
Is there a way to terminate the session if we are suspecting a malicious attack?